In previous customer consultation cases, many customer applications directly used SA accounts to connect to SQL Server. If the database management is a little stricter, the application should not be given this kind of permission. Usually the application only needs to perform additions, deletions, modifications, and queries, but rarely DDL operations. Therefore, the principle of "least privilege allocation" should be followed when configuring accounts. Grant the required permissions.
For applications, the minimum permissions are usually given to read permissions, write permissions and execute stored procedure permissions. In order to prevent database information leakage caused by SQL injection, you also need to consider denying the account permission to view definitions. However, it is worth noting that if the permission to view definitions is denied, Bulk Insert will fail. The complete permission definition is as follows:
ALTER ROLE [db_datareader] ADD MEMBER 用户名 ALTER ROLE [db_datawriter] ADD MEMBER 用户名 grant execute to 用户名 deny view definition to 用户名
In SQL Server, the instance level is the login name, while the database level is the user name. The login name can be mapped to a specific library after creation. Therefore, I wrote a complete script to create login names, users, and grant corresponding permissions. The script is as follows:
--创建用户的存储过程, --示例EXEC sp_CreateUser 'UserName','rw','DatabaseName' --EXEC sp_CreateUser 'tesefx','r','Test','0xE39CA97EBE03BB4CA5FF78E50374EEBB' CREATE PROC sp_CreateUser @loginName VARCHAR(50) , @IsWrite VarCHAR(3) , @DatabaseName VARCHAR(50), @Sid VARCHAR(100) ='1' AS PRINT('示例:EXEC sp_CreateUser ''UserName'',''rw'',''DatabaseName''') PRINT('示例:EXEC sp_CreateUser ''UserName'',''rwv'',''DatabaseName'',''0xE39CA97EBE03BB4CA5FF78E50374EEBB''') PRINT('r为只读权限,rw为读写权限,rwv为读写加View Definition权限') IF EXISTS ( SELECT name FROM sys.syslogins WHERE name = @loginName ) BEGIN PRINT N'登录名已存在,跳过创建登录名步骤' END ELSE BEGIN DECLARE @CreateLogin NVARCHAR(1000) DECLARE @pwd VARCHAR(50) PRINT @Sid SET @pwd=NEWID() IF(@sid='1') BEGIN SET @CreateLogin = 'CREATE LOGIN [' + @loginName + '] WITH PASSWORD=N''' + @Pwd + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF;' PRINT N'登录名已创建,密码为:'+@pwd END ELSE BEGIN SET @CreateLogin = 'CREATE LOGIN [' + @loginName + '] WITH PASSWORD=N''' + @Pwd + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF,sid='+@Sid+';' PRINT N'已经使用SID创建登录名:'+@loginName END EXEC (@CreateLogin) --DECLARE @sidtemp NVARCHAR(50) --SELECT @sidtemp=sid FROM sys.server_principals WHERE name=@loginName --PRINT(N'登录名为:'+@loginName+N' SID为: 0x'+CONVERT(VARCHAR(50), @sidtemp, 2) ) END DECLARE @DynamicSQL NVARCHAR(1000) --切换数据库上下文 SET @DynamicSQL = N'Use [' + @DatabaseName + ']; ' + 'IF EXISTS(SELECT name FROM sys.database_principals WHERE name='''+@loginName+''') Begin Print(''用户名已存在,跳过创建用户名的步骤'') end else begin CREATE USER [' + @loginName + '] FOR LOGIN ' + @loginName + ' end;IF (''' + @IsWrite + '''=''rw'' or ''' + @IsWrite + '''=''rwv'') BEGIN ALTER ROLE [db_datareader] ADD MEMBER ' + @loginName + ';ALTER ROLE [db_datawriter] ADD MEMBER ' + @loginName + '; END ELSE BEGIN ALTER ROLE [db_datareader] ADD MEMBER ' + @loginName + '; ALTER ROLE db_datawriter DROP MEMBER ' + @loginName + ' ;End;grant execute to ' + @loginName + '; if('''+@IsWrite+'''<>''rwv'') begin deny view definition to ' + @loginName + '; end else begin grant view definition to ' + @loginName + '; end' EXEC (@DynamicSQL)
This stored procedure is used to create the login name, user, and corresponding permissions required for the application to connect to SQL Server. This step will be skipped when the user or login name exists. An example of using this stored procedure is:
EXEC sp_CreateUser 'UserName','rw','DatabaseNam' EXEC sp_CreateUser 'tesefx','r','Test','0xE39CA97EBE03BB4CA5FF78E50374EEBB'
The first line of the above execution is to create a standard account, the account name UserName, and give it read and write access to the DatabaseNam library permissions and returns the generated GUID password. The second stored procedure uses the fourth parameter sid to create a login name. Since in AlwaysOn or mirroring environments, the login names at both ends need to have the same SID, a method is provided to create a login name using SID in this case.